How Bad Authorization Design Put 200,000+ Students at Risk

How I discovered a chain of IDORs in a public education platform used by every FP student in Catalonia, chained them into a full account takeover, and reported it responsibly.

The Python Toolchain I Use in Production: uv, ruff, and ty

Why I replaced pip, black, flake8, and mypy with a single stack from Astral, and how I integrate it in CI/CD with GitHub Actions.

How I Structure FastAPI Projects in Production, and Why

What most FastAPI tutorials skip: how I structure routes, services, exceptions, logging, and multi-tenancy in a production B2B SaaS, and the reasoning behind each decision.